Re: [exim] What's the best way to secure both SMTPandPOPauth…

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] What's the best way to secure both SMTPandPOPauthentication?
jtelep@??? wrote:

*snip*
>
> Great, this helps so much. Thanks for your help Bill. So just for a
> quick recap to be sure that I understand this correctly, once TLS is
> enabled it handles all of encryption regarding SMTP traffic including the
> authentication.


You can get the gory details on TLS with a brief Google.

Basically, it is the latest incarnation of SSL, with a new fillip - the ability
to 'negotiate' not only which keys and encryption standards are to be used, but
also whether encryption is offered/accepted *at all*. That allows more flexible
use of ports.

> So I can use sasl-plain auth without being concerned that
> someone can "sniff" the user_id and password because the connection has
> already been encrypted. Let me know if I am off base here at all.
>
> Thanks again!
>


So long as you have set Exim to *only* accept authentication under TLS, *AND*
set the MUA to *always* use TLS, the only thing a 'snooper' should be able to
see 'en claire' is the negotiation handshake. The uid:pwd exchange should take
place *after* the encrypted 'tunnel' has been agreed and established, so even
'plain' is protected and sasl is optional.

You will want to be sure that your smtp MUA-to-Exim-as-MSA is done on the
'submission' port, 587, and not on port 25, which may be blocked/diverted by an
end-user's connectivity ISP. Not all of the relevant settings are in the same
place in ~/configure, but all must be in agreement.

A caveat: Some MUA, if/as/when unable to negotiate a TLS session on the
submission port *at all*, can fall-back to attempting connection via port 25,
and not necessarily attempt authentication, as port 25 will normally accept at
least locally-deliverable mail without requiring auth or encryption.

This can be a 'surprise' vulnerability. Watch for symptoms of longer than
'normal' sending time and Exim rejection of mail for remote destinations with a
'relaying not permitted' message.

Some of the code you may need in addition to a functioning AUTH paragraph:

local_interfaces = <one or more IP on your box>

daemon_smtp_ports = 25 : 587

tls_certificate = /usr/local/etc/exim/certs/<cert name or number>

auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

(See also Marc Sherman's post for code in the authenticator itself)


Side, but related issue, to support, but not require, TLS with all peer MX boxen:

tls_advertise_hosts = *

Review the pros and cons of this next option before deciding if you wish to use it:

tls_remember_esmtp = yes
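The property the post asks for (AUTH advertised only inside TLS, so a PLAIN login never crosses the wire in the clear) can be checked from the client side by comparing the EHLO reply before and after STARTTLS. The script below is an added example and is not part of Bill's post or of Exim; the EHLO transcripts in it are constructed, not captured from any real host, and the live probe() assumes you have an MSA of your own to point it at.

```python
"""Check that an SMTP submission service advertises AUTH only after STARTTLS.

Offline part: parse constructed EHLO replies and assess them.
Live part: probe() does the same against a real host with smtplib.
"""
import smtplib
import ssl
from typing import Dict, Optional


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Parse a multi-line 250 EHLO reply into {EXTENSION: 'params'}.

    Accepts the wire form ('250-AUTH PLAIN LOGIN') as well as the
    prefix-stripped form smtplib hands back ('AUTH PLAIN LOGIN').
    The first line is the server greeting and is skipped.
    """
    exts: Dict[str, str] = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for ln in lines[1:]:
        # Drop a leading '250-' / '250 ' reply code if present.
        if len(ln) > 4 and ln[:3].isdigit() and ln[3] in "- ":
            ln = ln[4:]
        name, _, params = ln.partition(" ")
        exts[name.upper()] = params.strip()
    return exts


def assess(pre_tls: Dict[str, str], post_tls: Optional[Dict[str, str]]) -> Dict[str, bool]:
    """Compare what is advertised before STARTTLS with what is advertised after.

    'ok' means: STARTTLS offered, no AUTH in the clear, AUTH present once
    the session is encrypted (the auth_advertise_hosts setting in the post).
    """
    starttls = "STARTTLS" in pre_tls
    auth_clear = "AUTH" in pre_tls
    auth_tls = post_tls is not None and "AUTH" in post_tls
    return {
        "starttls_offered": starttls,
        "auth_in_cleartext": auth_clear,
        "auth_after_tls": auth_tls,
        "ok": starttls and not auth_clear and auth_tls,
    }


def probe(host: str, port: int = 587, timeout: float = 10.0) -> Dict[str, bool]:
    """Live check against your own MSA (hypothetical host; not run here)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        pre = {k.upper(): v for k, v in s.esmtp_features.items()}
        post = None
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())
            s.ehlo()  # extensions must be re-read after the TLS handshake
            post = {k.upper(): v for k, v in s.esmtp_features.items()}
    return assess(pre, post)


# Constructed EHLO replies (example data, not from any real server).
WEAK_PRE = ("250-mail.example.net Hello client [192.0.2.10]\r\n"
            "250-SIZE 52428800\r\n250-AUTH PLAIN LOGIN\r\n250-STARTTLS\r\n250 HELP\r\n")
GOOD_PRE = ("250-mail.example.net Hello client [192.0.2.10]\r\n"
            "250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP\r\n")
GOOD_POST = ("250-mail.example.net Hello client [192.0.2.10]\r\n"
             "250-SIZE 52428800\r\n250-AUTH PLAIN LOGIN\r\n250 HELP\r\n")


def weak_verdict() -> Dict[str, bool]:
    """Server that advertises AUTH before TLS: PLAIN credentials could be sniffed."""
    return assess(parse_ehlo(WEAK_PRE), parse_ehlo(GOOD_POST))


def good_verdict() -> Dict[str, bool]:
    """Server that hides AUTH until the tunnel is up, as the post recommends."""
    return assess(parse_ehlo(GOOD_PRE), parse_ehlo(GOOD_POST))


if __name__ == "__main__":
    print("weak:", weak_verdict())
    print("good:", good_verdict())
    # probe("mail.example.net", 587)  # run against your own submission port
```

Running probe() against port 25 as well as 587 shows whether the fallback case in the caveat above (an MUA that silently drops to port 25 and sends unauthenticated) would find AUTH on offer there in the clear.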